From: Adam Porter
Newsgroups: gmane.emacs.devel
Subject: Re: [ELPA/elpa-admin] Render README.org as ASCII with ox-ascii
Date: Sun, 29 Aug 2021 21:15:13 -0500
Message-ID: <87v93ny8y6.fsf@alphapapa.net>
References: <87h7f7zww5.fsf@alphapapa.net> <0d8b81d8-e923-dc17-e815-3b1082a20a12@gmail.com> <878s0jztpm.fsf@alphapapa.net> <7bc9ba82-e32a-291a-96a0-315d814d6943@gmail.com>
To: emacs-devel@gnu.org

Clément Pit-Claudel writes:

> The scary part is not so much altering a package (or a few packages)
> with bad code (though that is scary), but having the ability to alter
> all of them (sure, you could push to all package branches, but that's
> more easily detected than altering one readme).

Yes, we should be very careful about that, and I'm glad people like you
and Stefan are keeping it in mind. :) In fact...

>> Also, AFAIU, ELPA already runs Makefiles for packages as part of the
>> build process, and those can run arbitrary code, which I guess could do
>> things like modify other packages, modify the build process or scripts,
>> or anything else that the user account the build process runs as could
>> do on the server.
>
> Good catch, and indeed given this running org doesn't make things
> worse.

Thanks. As Stefan mentioned, it appears that he's way ahead of both of
us, as he's already implemented some sandboxing in the build process. :)